4195 matches found
Secure Section Macro
This is a suggestion to create a new Macro/Plugin that worked similar to the Column Macro with the major difference being when the user edits the Macro they are allowed to select user and group access options. The idea is that if the user/group is not selected in the access list then this Macro a...
Secure Section Macro
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-23637. This is a suggestion to create a new Macro/Plugin that worked similar to the Column Macro with the major differenc...
Actions doeditpage,domovepage,docreatepage do not require XSRF token
When checking the application for security leaks, I found that the actions doeditpage, domovepage and docreatepage explicitly set the requireSecurityToken=false in the xwork.xml. This could be a possible leak in an attack scenario. Is there a reason, why these actions should not require the...
A number of XSS holes found during QA blitz
See Mark H's and Corey's blitz pages for details...
Visual clues to native vs. ldap users and groups
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-23355. In a mixed environment with Confluence and LDAP users and groups, it would be helpful when administering users and...
Visual clues to native vs. ldap users and groups
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-23355. In a mixed environment with Confluence and LDAP users and groups, it would be helpful when administering users and...
Visual clues to native vs. ldap users and groups
In a mixed environment with Confluence and LDAP users and groups, it would be helpful when administering users and groups to see if they belong in LDAP or Confluence. Perhaps different color icons...
View PDF Macro in Office Connector makes http fetch from Adobe from https session
The View PDF macro within the Office Connector plugin provides the following http URL even for https sessions when a user's browser fails the Flash installed test. http://www.adobe.com/images/shared/downloadbuttons/getflashplayer.gif It's bad form to mix http urls in with secured https sessions a...
XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin
We have identified and fixed a cross-site scripting XSS vulnerability in JIRA administration interface. Affected version is JIRA 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various places on the web...
Inline attachment downloads vulnerable to XSS by setting tweaked HTML content type
Please see CONFDEV-9069 https://jira.atlassian.com/browse/CONFDEV-9069 for the current issue addressed at fixing attachment XSS vulnerabilities. --- TLDR: white-list mime-types which can be served "inline" and don't let the user set arbitrary mime-types. I have been having a good laugh sorry...
Better error message when viewing an embedded calendar as an unprivileged user
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-51101. On our site's dashboard I have a calendar macro defined as:...
Better error message when viewing an embedded calendar as an unprivileged user
On our site's dashboard I have a calendar macro defined as: calendar:id=8f564b4b-afed-4ceb-b206-2e426f595648,a80c628d-5155-40bc-8a55-0874fb77bf71 The result is something that looks like this: (image: User with View Rights.JPEG) After using the new features from TEAMCAL-102 to restrict view acces...
Better error message when viewing an embedded calendar as an unprivileged user
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-51101. On our site's dashboard I have a calendar macro defined as:...
make space admin able to see restricted pages in his own space
This is a request to make space admins able to see the content of restricted pages in their own spaces. Currently only confluence-administrators can do that...
JIRA FishEye plugin not working - Error handling trusted applications authentication attempt: BAD_SIGNATURE
This bug affects you if: you are running JIRA 4.4+ and FishEye 2.6.0-2.6.3, and you have Trusted Applications authenticating the link between your JIRA and FishEye servers. If you attempt to configure or use the JIRA FishEye plugin, you may see errors in the UI and log messages like this in JIRA:...
Members of confluence-administrators group can browse to restricted pages
Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...
Password History Count does not work for ATLASSIAN-SECURITY directories
Testing this locally on Crowd 227, I set the password history count to 1, then tried resetting my password through the interface and through the 'Forgot Password' e-mail link, but was able to consistently use old passwords. I also expired the password, forcing a password change, but that also let me...
Enable X-FRAME-Options header to implement clickjacking protection
TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current HTTP headers do not contain the X-FRAME-Option, which helps prevents against Clickjacking attacks. A Clickjacking attack is similar to CSRF in which attacker can hijack a...
Enable X-FRAME-Options header to implement clickjacking protection
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-25143. TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...
Enable X-FRAME-Options header to implement clickjacking protection
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-25143. TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...
Enumeration of usernames possible in Jira
We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect. After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate t...
GeneralUtil.htmlEscapeQuotes should be annotated HtmlSafe
The GeneralUtil.htmlEscapeQuotes method outputs HTML and thus should be annotated as @HtmlSafe. Not doing so causes its output to be double escaped when automatic escaping is enabled for the plugin/velocity template...
Support web sudo and other password confirmation features with custom authenticators
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-22875. By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom...
Support web sudo and other password confirmation features with custom authenticators
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-22875. By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom...
Support web sudo and other password confirmation features with custom authenticators
By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again. If it is turned on manually, in mos...
Web Sudo should be able to be subverted for non browsers (eg scripts) via a HTTP header
We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header. This post shows the use case: https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4 I believe it is just as secure, since web sudo is really designed to stop som...
On internal error, JIRA will display error information to the user (in the browser)
When JIRA (bundled Tomcat?) encounters an internal error, it displays error information to the user in the browser. This can leak internal, possibly sensitive, information. It should report that there was an error and inform the user to contact their JIRA admin...
logout.action is not protected against XSRF - CVE-2012-6342
Cross-site request forgery CSRF vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators, for requests that logout the user via a comment...